
GDPR: Are You Ready?

11th Apr 2018
Photo by Alex Kotliarskyi on Unsplash
Under GDPR, businesses will need to make sure their systems are secure

In just over a month, the General Data Protection Regulation (GDPR) (EU) 2016/679 will be implemented. Philip Fisher outlines what practices must do before the deadline. 

Given the fact that accountants are ordered and organised people, it would be nice to imagine that every reader is sick to death of the subject and each practice in the country is already set up to operate within the regulations, following a smooth transition in a fortnight’s time.

In reality, life is not like that. While the majority of practices will have everything in place by the deadline, I would not be surprised to learn that a significant percentage has barely started its preparations yet, happily using that popular accounting principle – leave everything to the last minute.

There is an extra provocation for approximately half of the population, including many accountants, given that this regulation has been handed down by the European Parliament and Council; organisations so hateful that they have forced the UK to depart from its long association with our neighbours across the English Channel.

Unfortunately, at present, there is no exemption from legislation on the basis that it has been laid down by the EU, although that (or its equivalent) will come in time. Even so, our own dear government, which rails against euro red tape on a regular basis, seems to have no immediate plans to overturn GDPR.

Having said that, many might argue that there would be a strong justification for considering such action given that implementation will undoubtedly be an administrative nightmare, especially for smaller organisations including most accounting firms.

The consequence is that we will have to like it and lump it, which means ensuring that potentially substantial and robust internal structures must be in place by 25 May.

Many readers might now be moving on to the next article on the basis that they are smugly grinning like Cheshire cats in the knowledge that their GDPR strategy has been in place for months. For anyone left, here is a brief rundown.

Main Obligations

At a headline level, it will be necessary to comply with the following matters.

  1. There must be a lawful basis for processing data. In reality, in the profession, this will almost always mean that advance consent to the processing of personal data for at least one specific purpose has been obtained.
  2. Such consent must be explicit to the data collected. Going a stage further, data controllers must be able to prove consent, which may be withdrawn at any time.
  3. Mirroring the money laundering legislation, it will be necessary to appoint a data protection officer. They will need specific training, particularly around data security including dealing with cyber attacks and attaining a full understanding of how to deal with personal and sensitive data, of which there could be much in our sector. Make no mistake, at times this will be an onerous role, even for those trained in the skills of auditing, particularly at implementation but also occasionally on an ongoing basis. Therefore in most firms, a whole team will be needed to ensure compliance.
  4. Data protection must be designed into the development of business processes with privacy settings at a high level to ensure that the whole process complies with the regulation and that data is not processed unless strictly necessary.
  5. Data breaches will clearly be one of the most important areas with which the data protection officer will have to deal.
  6. Clients and staff members whose personal data records are held must be given a right of access and a right of erasure in certain circumstances.
  7. There is an obligation to keep records of processing activities ready for auditors.

Sanctions

We all love sticking our heads in the sand and in many cases, never suffer as a result of doing so. However, in this case, it might not be the best policy given the swingeing sanctions for those who fail to comply.

While we can all probably put up with the occasional warning for a first offence or non-intentional failure to comply and would expect to face regular data protection audits, things get considerably worse.

Potentially, if there is a breach, your firm could be subject to a fine of up to the greater of €20m or 4% of the annual worldwide turnover of the preceding financial year in respect of certain provisions, and half of these levels for less serious offences.

Action

This is only a brief guide. The best bet for last-minute managers is to head to AccountingWEB’s GDPR hot topics section. This provides a complete lowdown on the obligations and the least painful way of ensuring that your practice does not fall foul of the new law.

Replies (34)

By AnnAccountant
11th Apr 2018 10:22

Probably not.

Then again, how could we be as, last time I checked our Institutes have not updated their Engagement Letter templates for GDPR yet. No doubt they have other things to do - such as fining members and not contesting heavy handed powers being given to HMRC.

I also understand official guidance has not been published yet.

I'll head to the AW GDPR section at some point (thanks for the link) but if it just consists of general high level comments (like all other GDPR stuff I've read to date) then it might not be that helpful on a practical level.

I suspect a lot of practices are hindered by this and are also reluctant to be one of thousands of similar practices that look to reinvent the same wheel.

The smaller firms that just do their actual work (rather than looking to mine or abuse data in any way) will be very similar and might not unreasonably wish to see specific practical guidance on each topic that is relevant to them - payroll, CT, accounts etc - and review, tweak and implement as needed.

Why would we spend hours reaching our own conclusions on (eg payroll issues and their solutions) when we can wait for a correct and accepted answer?

A bit like how none of us actually wrote a Bribery Act statement from scratch. Got one online and tweaked as appropriate.

This is a bit larger but the principle is the same. We're waiting for the specific guidance and the templates.

Anyone should feel free to tell me otherwise/point me to a good guide for the 'one man band'. I'd very much appreciate the latter as I'll be looking to see if I can hunt one down at some point soon.

Thanks (17)
Replying to AnnAccountant:
By jon_griffey
11th Apr 2018 12:05

Amen to that! My thoughts exactly.

Thanks (0)
Replying to AnnAccountant:
By Mark Lee
12th Apr 2018 09:29

I prefer to assume that the Professional Bodies are trying to do the right thing by their members. Certainly the advice and guidance provided by ICAEW to date shows they are not sitting around doing nothing.

I understand that we've been waiting on the ICO to answer various Qs which will then enable suggested updates to engagement letters to be published. No point in issuing draft guidance that needs to be revised shortly afterwards.

It's not ICAEW's fault if ICO is slow in providing answers as to how GDPR will be applied in practice.

As you probably know GDPR requires much more than simply updating engagement letters.

I prepared a simple guide as to the documents you probably need to prepare to evidence your attempts to comply. You can get it here (and also then the practical guide I wrote which gave rise to the list) http://www.bookmarklee.co.uk/gdpr This is probably as close as you'll get to a good guide for sole practitioners.

Thanks (3)
Replying to AnnAccountant:
By North East Accountant
17th Apr 2018 11:10

Agree 100%.

Thanks (0)
By ireallyshouldknowthisbut
11th Apr 2018 10:55

I have made a small adjustment to our T&Cs about emails not being encrypted.

There are probably 1000s of regulations we don't comply with, and this will be just another one.

Thanks (6)
By Brads.Kings
11th Apr 2018 12:25

25 April or 25 May?

Thanks (0)
Replying to Brads.Kings:
By Richard Hattersley
11th Apr 2018 13:31

Ah yes. Sorry if we've inadvertently added to anyone's panic. Thanks Brads - we've amended the intro.

Thanks (0)
Replying to Brads.Kings:
By Philip Fisher
11th Apr 2018 13:32

Oops, it isn't May yet. I am wishing my life away. Thanks for the polite correction.

Thanks (0)
By Neil Armitage
11th Apr 2018 13:00

I do wish the talk of massive fines could be moderated somewhat when discussing GDPR; those levels of sanctions are not applicable to probably 99.99% of the readership here.

The ICO has never levied the top fine available to them (£500k) under the existing DPA despite the likes of Talk Talk and Sony being so massively compromised. So the likelihood of a normal accountancy practice looking at fines anywhere near the €20m mark is remote. The ICO have already stated it's less about the stick and more about the carrot.

Thanks (3)
By jcace
11th Apr 2018 15:22

And the requirement to appoint a DPO only exists if:
1. you are a public authority (except for courts acting in their judicial capacity);
2. your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
3. your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
I would therefore suggest that most firms reading this forum will not need to appoint such an officer, but that if they choose to do so, they should be prepared to do as you have laid out at point 3.

Thanks (0)
By Mark Lee
12th Apr 2018 09:21

Hmm. Well done Philip although I'm not sure I agree that every accountancy firm needs to appoint a Data Protection Officer.

The GDPR introduces a duty to appoint a data protection officer (DPO) only if you are a public authority, or if you carry out certain types of processing activities. This will rarely be the case for accountancy firms.

Indeed, I've been told that some larger firms are appointing Data Privacy Officers instead. Same initials but the appointees will not have the protection afforded via GDPR to Data Protection Officers.

Thanks (0)
By adambl
12th Apr 2018 11:03

Am I the only sole trader tax practitioner that is struggling to understand EXACTLY what this means and what I need to be doing? Like many others I prepare Tax Returns and accounts with software on the Cloud and e-mail them to clients for approval. I also handle payrolls for clients and submit under RTI and deal with Auto Enrolment using the same payroll software. I NEVER send marketing letters to clients.

Any very simple advice as to what I should be doing?

Thanks (7)
Replying to adambl:
By murphy1
17th Apr 2018 10:06

Most definitely not! I have joined 3/4 webinars, and still no further forward. They are all very much above the level we need.

Thanks (1)
Replying to adambl:
By John Wheeley
17th Apr 2018 10:29

Adambl, I am in exactly the same position as you.

Does anybody have a skeleton of a form that I can send out to clients to get their signature on ?

Thanks (0)
Replying to John Wheeley:
By Tobystevens
17th Apr 2018 10:33

You don’t need consent as a lawful basis for processing *client* data for the purpose of providing accounting services, you’re already covered under A6.1(b).

Thanks (0)
Replying to adambl:
By uktaylor
17th Apr 2018 10:32

I feel the same. Totally lost with GDPR. Not sure what I am to do or what I should be informing my clients if at all. I am an AAT Member and haven't received anything from them that can guide me.

Thanks (1)
Replying to adambl:
By Duggimon
17th Apr 2018 11:07

You can't email things for approval unless your email is encrypted; other than that, you're fine. IRIS Openspace is a free web portal that is password protected and compliant, there are probably others. It's very easy to use and works fine for us.

Email is not secure at all. Think on it as sending a letter but without an envelope as essentially it's an electronic version of that.

Thanks (1)
Replying to Duggimon:
By djn24
17th Apr 2018 11:52

I'm not 100% sure that you are correct with this.
I asked this a while ago and was told that it was recommended but not compulsory.
I wonder if some people are scare mongering to make money?

Thanks (0)
Replying to djn24:
By Tobystevens
17th Apr 2018 12:09

The GDPR A.32 talks about “taking into account the state of the art, the costs of implementation...as well as the risk...the controller...shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk..”

That means that for a small practice, nobody’s expecting them to build a secure mail infrastructure, but there’s no question that sending bulk or special categories (sensitive) personal data by email would not be considered to be sufficiently secure. This applies just as much under the current DPA, but given that the ICO has traditionally not been too hungry to enforce, businesses such as small accountants have got away with poor controls - until something goes wrong.

A practical solution would be to use something like Sharefile and offer that to clients who choose to use it. If they do not want it, and confirm that they are satisfied with regular email for communications (so long as these don’t include sensitive/bulk data) then that would probably be fine as a discretionary decision. It’s hardly expensive, and whilst there’s a small overhead in effort, if it saves both the client account and the scrutiny of the ICO then that’s got to be a win.

Thanks (0)
By Tobystevens
17th Apr 2018 10:27

I’m curious about the assertion that consent will be required for processing. This is inaccurate advice that will drive many practices down a high-risk and costly time-wasting exercise. Article 6 of GDPR defines 6 lawful bases for processing, of which consent is just one. Direct marketing can be enabled through legitimate interests (A6.1(f)) so long as the controller is careful to comply with the Privacy & Electronic Communications Regulations (2003), and client activities will be for performance of a contract to which the data subject is party (A6.1(b)).

GDPR is a big and permanent change in information rights and freedoms, but for practices that have already complied with the Data Protection Act (1998) and PECR, it shouldn’t be a show-stopper. And the ICO has made it clear that there is no appetite to apply those fearsome fines, which are being used for scaremongering by some disreputable consultants and journalists.

GDPR is to be taken seriously, but don’t be fooled into poor commercial decisions by the fear, uncertainty and doubt.

Thanks (3)
By jonmst2
17th Apr 2018 10:30

adambl - you are not on your own!! I cannot make head nor tail of this either.

Thanks (0)
Jennifer Adams
By Jennifer Adams
17th Apr 2018 10:35

As a small practitioner I originally wondered what all the fuss was about and then when I did a bit of digging worried about the time it would take to comply.
I went to a networking meeting where everyone seemed to be worried so I set aside time to find out ...
and the fruits of my labour are shared in this article:
https://www.accountingweb.co.uk/tech/tech-pulse/gdpr-and-the-small-accou...

There is such a lot out there about GDPR that it's difficult to know what needs to be read and what can be ignored. I thought other accountants would have the same problem, hence the article based on my findings.
The article has been purposely written in bullet point format and gives links to templates that can be used for your 'audit' and to create the 'policy document'.
Re Engagement letters - as my article states:
"Engagement letters for tax practitioners are currently being worked on jointly by AAT, ACCA, ATT, CIOT and STEP. The working party of these professional bodies is working towards issue of the updated guidance and template letters in early summer 2018".... there is no update.
But there is really only one document you need to read and that is Mark Lee's ICPA guide. This is a must to be used as the main textbook. It sets out the process in a clear and concise way.

Thanks (0)
By Ian McTernan CTA
17th Apr 2018 10:43

GDPR is just another way for people to try and squeeze money out of us- for seminars, webinars, training, blah blah.

It's targeted at large firms.

Compliance is easy- make sure you have permission from your client to do the things you do for them, and ensure you hold the information securely.

Easy for a small firm, which doesn't spam clients with endless mailshots, offers, sell information to third parties, etc.

Pretty much sums up everything that is wrong with the monolithic bureaucracy that is the EU - huge hammer to address a simple issue.

Thanks (2)
By johnjenkins
17th Apr 2018 10:50

I'm not being flippant, but with Mr. Putin et al being able to get what information they want from us all, when they want, what is the point?
I use common sense with all these "rules and regulations" so should everybody else.

Thanks (0)
Replying to johnjenkins:
By Tobystevens
17th Apr 2018 11:07

johnjenkins wrote:

I use common sense with all these "rules and regulations" so should everybody else.

Good luck with that then. This is a permanent change in the law (Brexit will only make it more complex as the new Data Protection Bill is enacted to embed GDPR in UK law, plus additional requirements), and UK practitioners are going to find their business clients asking them to evidence their readiness as part of their controller-controller assessments. If you can’t demonstrate accountability then at best, over time you’ll witness an erosion of your client base; at worst, the ICO will be all over you like a rash when a client complains about failure to uphold information rights.

Most of what’s in GDPR is already covered in DPA, so if you’re able to do DPA (which has been around for 20 years) then this shouldn’t be a nightmare.

Thanks (0)
Replying to Tobystevens:
By djn24
17th Apr 2018 11:58

Tobystevens wrote:

johnjenkins wrote:

I use common sense with all these "rules and regulations" so should everybody else.

Good luck with that then. This is a permanent change in the law (Brexit will only make it more complex as the new Data Protection Bill is enacted to embed GDPR in UK law, plus additional requirements), and UK practitioners are going to find their business clients asking them to evidence their readiness as part of their controller-controller assessments. If you can’t demonstrate accountability then at best, over time you’ll witness an erosion of your client base; at worst, the ICO will be all over you like a rash when a client complains about failure to uphold information rights.

Most of what’s in GDPR is already covered in DPA, so if you’re able to do DPA (which has been around for 20 years) then this shouldn’t be a nightmare.

I don't think many potential/existing clients of small firms would ask about their GDPR process before coming on board/leaving as a client, so can't see client numbers being affected in any way. Honestly don't think they care.
99.9% of accountants are responsible with the data they hold and only use it to do the job. This GDPR seems overkill for the small business.

Thanks (2)
Replying to Tobystevens:
By johnjenkins
17th Apr 2018 12:24

My clients use common sense as well so I don't think I will be losing any.

Thanks (0)
By johnjenkins
17th Apr 2018 10:51

Anything to do with data protection is a joke.

Thanks (0)
By RichardPulseCyber
17th Apr 2018 12:44

An interesting article with some solid content, however the "need for consent" is consistently misinterpreted in the media - and this is another example. In addition, not every organisation will need to appoint a DPO...

Legitimate Interest or Consent?

The absolute need to gain Consent (and to apply that as the only possible lawful basis, through which personal data can be processed) is the greatest GDPR myth of all.

Even with less than 6 weeks to go to May 25th, this remains the case – and many accountancy practices remain focused (and panicked) on identifying how to go about gaining Consent. In fact, Legitimate Interest would be a perfectly valid lawful basis in many instances, and Consent does not need to be obtained.

As Elizabeth Denham (Information Commissioner) herself has said, “Headlines about consent often lack context or understanding about all the different lawful bases businesses and organisations will have for processing personal information under the GDPR.”

Unfortunately this particular article falls into the same trap, and Legitimate Interest is again overlooked as a valid lawful basis for the processing of personal data.

In general the accuracy of information around GDPR via social media, blogs and articles is mixed at best, so I would urge anyone with any concerns or questions about their compliance journey – to make the ICO website a familiar port of call.

Legitimate Interest or Consent? Well, firstly we must consider the nature of the data subject and the processing of the personal data. Is it B2B or B2C? The difference is significant within the GDPR.

B2B (Business to Business): If your product or service is of relevance to the recipient professionally, then you can market to them without opt-in consent for particular channels, like email and text.

However, an opt-out option must be used. This applies only when marketing to corporate entities; limited companies, LLPs, partnerships in Scotland and government departments. Legitimate Interest is a valid lawful basis, as long as a 14 point LIA is conducted for each data subject and that a 3-point balancing test is carried out. The key message being the need to ensure (in every instance) that the rights, freedoms and interests of the data subject are not outweighed by those of the data controller. In addition it is essential to always provide a clear, transparent and easy to use “Opt-Out” option for the data subject, when applying Legitimate Interest as your lawful basis.

B2C (Business to Consumer): Opt-in consent is required with all the consent rules applying. Once marketers have received a subject’s consent to process their data, they may use other personal data such as the subject’s purchase history or location to tailor their marketing as long as they can prove it’s of legitimate interest to the subject. This applies when marketing to sole traders or partnerships.

This is further reinforced by the Direct Marketing Association (DMA), who have clearly stated that B2B marketing activities can apply legitimate interest as the legal basis for electronic marketing, because PECR does not apply.

Data Protection Officers

A second and significant inaccuracy in the article is the suggestion that every practice will need to appoint a Data Protection Officer (DPO). Not so, and it’s not that straightforward.

Under Article 37 of the GDPR, there are 3 scenarios where the appointment of a DPO by a controller or processor is mandatory:

1. The processing is carried out by a Public Authority;
2. The core activities of the controller or processor consist of processing operations which require “regular and systematic processing of data subjects on a large scale”; or
3. The core activities of the controller or processor consist of processing on a “large scale of sensitive data” (Article 9) or data relating to “criminal convictions and/or offences” (Article 10).

The ‘Guidelines on Data Protection Officers’ published by the Article 29 Working Party (“WP29”) provide clarity on the requirements contained in Articles 37, 38 and 39 of the GDPR. Understanding whether or not an organisation needs to appoint a DPO depends on the scale/scope of the processing operations - and whether they fall within the scope of Article 37. If you are unsure whether your organisation needs to appoint a DPO, simply ask the ICO or do some reading of Article 29.

If an organisation carries out the type of processing activities above (and/or is a public authority), then it will be required to appoint a DPO under the GDPR – be it external or internal.

It is essential to note that if an organisation does not meet the requirements in the GDPR (instead, voluntarily deciding to appoint a DPO) then the same requirements that apply to mandatory DPOs will still apply.

Importantly, if an organisation decides not to appoint a DPO, the WP29 recommends documenting the reasons.

Hopefully this is helpful to anyone worried (or in doubt) about Consent and/or Legitimate Interest, and whether you need to appoint a DPO. I would be delighted to discuss any of this in more depth, either via this thread or through direct message.

Richard

Thanks (3)
By VP
17th Apr 2018 13:45

I read the below link from ACCA on Aweb. It made it all a bit clearer for me as a sole practitioner.

https://www.accountingweb.co.uk/community/industry-insights/gdpr-how-to-...

Thanks (0)
By johnjenkins
18th Apr 2018 11:22

Further to my previous comment that "data protection" is a joke.
Landing cards of "windrush" people were destroyed because of.............................................wait for it....................................."DATA PROTECTION". I rest my case. "Thank goodness", I hear you say.

Thanks (0)